Troubleshooting high server loads on Linux servers

Technical support analysts often receive tickets about high server loads. The cause of high server loads is very rarely attributed to defects in the cPanel software or the applications it installs. High server loads are something that should be initially investigated by the server owner, their system administrator, or server provider.

What causes high server loads?

Excessive usage of any of the following items can typically cause this issue:

CPU

memory (including swap)

disk I/O

How can I check these items?

That depends whether you want to review their current resource usage, or historical resource usage. This tutorial will cover both.

A brief lesson on "sar"

Historical resource usage can be viewed using the "sar" utility, which should exist by default on all cPanel servers from the sysstat package. The stats are collected when sysstat runs from cron (/etc/cron.d/sysstat). If crond is not running, sysstat will not be able to collect historical statistics.

To view resource usage histories from sar, you must provide the path to the file that corresponds with the date of the stats.

For example, if you wanted to view the load averages for your server from the 23rd of the month, you would run this command:

Code:

[user@host ~]$ sar -q -f /var/log/sa/sa23

The command above uses '-q' to obtain the load average information, and '-f' to specify which sar file to obtain the information from. Note that sar may not have historical data going back more than a week or so.

You do not need to specify the date when viewing the statistics for the current day. As such, this command would show the load average for today:

Code:

[user@host ~]$ sar -q

You are strongly encouraged to read the documentation for sar:

Code:

[user@host ~]$ man sar

It provides statistics for many things that can be helpful to know about.

Current CPU usage

Run "top", and on the line that says "Cpu(s)", check the "%id" section which shows the percentage of which your CPUs are idle. The higher the number the better. A 99% idle CPU is not doing much of anything, and a 1% idle CPU is heavily tasked.

Code:

[user@host ~]$ top c

Tip: hit "P" to sort by processes that are currently consuming the most CPU.

Historical CPU usage

Check the "%idle" column:

Code:

[user@host ~]$ sar -p

Current memory usage

Code:

[user@host ~]$ free -m

Tip: run "top c" and hit "M" to see which processes are consuming the most memory.

Historical memory usage

This depends on the version of sar, which used to use '-r' to show %memused and %swpused (swap memory used), but later changed to '-S' to show %swpused.

Check "%memused" and "%swpused":

Code:

[user@host ~]$ sar -r

OR:

Code:

[user@host ~]$ sar -r

Code:

[user@host ~]$ sar -S

A note about memory usage: it is normal to see much of the server's memory being used. Why? Because the OS loves to cache things in memory. Why? Because accessing data from memory is extremely fast and far more efficient than using the server's disk(s).

As such, %memused isn't generally going to be much of an issue (unless perhaps you don't have a swap partition, but that's an issue in and of itself). You should focus on %swpused, which is what gets used when your server's physical memory is full. The lower the number, the better. A %swpused percentage of 0% would mean that your server currently has sufficient physical memory to perform its tasks.

How much %swpused is too much? That depends on your opinion of "too much". Generally speaking, a consistent low percentage of swap usage may not be an issue on your server. If you observe the %swpused increasing over time (e.g., from 1%, to 7%, to 32%), something on your server is consuming too much memory, and it would be wise to determine what that is (rather than just installing more memory). If your server ends up using all of its physical memory and swap memory, it may become unresponsive, requiring a reboot.

Current disk I/O usage

Note: this does not work on OpenVZ/Virtuozzo containers.

This will print the disk usage statistics 10 times, every 1 seconds. Check the %util column:

Code:

[user@host ~]$ iostat -x 1 10

Historial disk I/O usage

Code:

[user@host ~]$ sar -d

Good system administration involves knowing when your server's load is higher than acceptable. The main reason for this (other than preventing your server from becoming unresponsive and requiring a reboot) is to see what's taking place on the server while the load is high. Fast actions will enable you to troubleshoot the issue while it is occurring.

If your server's load was high from 2AM - 4AM while you were sleeping, you would have missed what took place. While sar can be helpful to show you what specific resources were high during that time, it won't tell you the cause of the high usage. There can be many causes, including DoS attacks, spam attacks, poorly designed php scripts which consume large amounts of memory, web spiders that crawl sites too aggressively, hardware issues, massive amounts of disk writes to a user's MySQL database, and much, much more.

The good news is that you can have much of this information collected and sent to you automatically while the load is high, which you can review later as needed. How? From your process list:

Code:

[user@host ~]$ ps auxwwwf

I have created a shell script for this, which is based off of a perl script that I used to run on servers that I managed. It was very useful to me in conjunction with other server monitoring (such as via Nagios). It checks 6 different things (more on this below), and emails you the current process list if any of them exceed your specific threshold.

This script is not developed, maintained, or supported by cPanel, Inc. Please do not open tickets about this script. If you experience any issues using it and require assistance, you can post a reply here, or consult an experienced system administrator. cPanel cannot provide support for this script.

The resources that are checked are as follows:

1 minute load average

kilobytes of swap used

kilobytes of memory usage

packets per second inbound

packets per second outbound

number of processes

How to use the script

To run the script automatically, set up a cron job that executes it as often as you'd like. I found every 5 minutes to be a good fit. The script does not need to be run as root, so do not run it as root.

If one of the resources has exceeded its user defined threshold, the script will send you an email that contains the current process list (ps auxwwwf).

IMPORTANT: You will need to adjust the values to your liking. There are no perfect default values. Why? Because different server environments are, well, different. For example, it may be preferred to set the 1 minute load average threshold higher for a server with 16 CPU cores than a server with just 1.

NOTE: You will need to add your email address to the "EMAIL" variable. For example:

Please feel free to post questions, comments, and anything else about troubleshooting server loads in this thread, or about the script, or anything else that comes to mind. This post will inevitably be missing some other useful troubleshooting items, and your comments are encouraged.

Not sure what has happened to cPanelTristan on the forums (don't see her posting much anymore) but her knowledge of Exim and her ability to help forum users with directives not commonly used was very helpful and much appreciated.

I have installed your script on 2 VPS. The first has a statefull firewall (LFD), the second not.
The first remains silent, load remains low.
On the second (no LFD), I am dealing with very high pps in and pps out rates (more than 30000) during minutes. Sometimes the server hangs with 100% disk-swap.
Is it DDOS? I Obviously should install LFD on the second!

My question is : how to show the pps in/out in the process list generated by your script?

30,000 pps is quite a lot. One way to be sure if it's a DoS or not is to use a sniffer such as tcpdump to see what's happening on the server when all of that traffic is being sent/received. tcpdump will show what traffic is being sent to and from your server. Do you have any automated backup processes that run which upload data to a remote FTP server, or something similar? Does the issue occur at around the same time each day? Those are some things to consider.

My question is : how to show the pps in/out in the process list generated by your script?

Click to expand...

I'm sorry but I don't fully understand. You are wanting to track which process(es) may be sending all of that traffic, correct? The ps command won't be able to show the amount of packets per second involving processes. You'll need to get a packet capture as described above to see what's taking place.

One way to be sure if it's a DoS or not is to use a sniffer such as tcpdump to see what's happening on the server when all of that traffic is being sent/received. tcpdump will show what traffic is being sent to and from your server.

You are wanting to track which process(es) may be sending all of that traffic, correct? The ps command won't be able to show the amount of packets per second involving processes. You'll need to get a packet capture as described above to see what's taking place.

Click to expand...

Ok, I will try to use tcpdump in a similar way you did in your script.

A new question about the swap : it looks like top is showing always increasing number for used swap. The used number seems never to diminish, always to increase, even if there is free memory. It is the same with your script : Swap use is always the same. For my first VPS (the one with LFD) that keeps cool, Swap use was 8% all the afternoon.

That's so much traffic I wonder if the script is getting accurate results from /proc . Do you have any bandwidth graphs to correlate the spike in traffic? Maybe your host has some MRTG graphs they can check or something similar. Does "sar -n DEV" agree with the output from the script for the times that the traffic occurred?

8% swap is a little high in my opinion, and could either be a sign of something using too much mem, or your server may just need additional physical memory added. You mentioned that there is still some free memory, however. How much is free? Run "free -m" and paste the output here in [ code ] [ /code ] tags (without the spaces).

That's so much traffic I wonder if the script is getting accurate results from /proc . Do you have any bandwidth graphs to correlate the spike in traffic? Maybe your host has some MRTG graphs they can check or something similar. Does "sar -n DEV" agree with the output from the script for the times that the traffic occurred?.

Following Jeff's advice to use tcpdump, I have found the origin of the problem. I discovered that somebody was over-using anonymous FTP.

For who may be interested, this is how I have done :
- log to the server as root with a SSH console;
- create a file somewhere on the server with root ownership, say /etc/log/tcpdump.log and chmod it 644;
- run :
tcpdump -w /var/log/tcpdump.log -i eth0
- when you feel you have enough data, stop tcpdump with Ctrl-C;
- download tcpdump.log on your local box;
- use Wireshark (Wireshark · Go deep.) to analyze the file (it is raw data, you can't read it directly); File -> Open your downloaded tcpdump.log;
- You probably will see something wrong. In my case, Statistics -> Conversations -> TCP : 757 showed a lot of trafic with a single IP.

Thank you for your updates. I'm happy to hear that helped! Another way to use tcpdump which you may find even quicker is this:

Code:

# tcpdump -i any -nn > tcpdump.log

That will output a plain text file called tcpdump.log which can be viewed directly from the shell with commands such as less, more, vi, nano, etc. If you just want to capture a certain amount of packets, use the -c option as well (e.g., -c 1000).

I'm pretty sure I know what the pps/bytes issue is (a space after the device name in /proc/net/dev). Can you please paste (or PM me) the output of these commands?

If I had to guess, I'd say you're not using OpenVZ/Virtuozzo or Xen, and your ETHDEV isn't eth0 (all of which is fine; I'm just trying to understand which environments may contain different output). If you can paste or send me that info, I would be very grateful.